
Black Hat Python



Black Hat Python: Python Programming for Hackers and Pentesters

Justin Seitz

Published by No Starch Press

To Pat

Although we never met, I am forever grateful for every member of your wonderful family you gave me.

Canadian Cancer Society
www.cancer.ca

About the Author

Justin Seitz is a senior security researcher for Immunity, Inc., where he spends his time bug hunting, reverse engineering, writing exploits, and coding Python. He is the author of Gray Hat Python, the first book to cover Python for security analysis.

About the Technical Reviewers

Dan Frisch has over ten years of experience in information security. Currently, he is a senior security analyst in a Canadian law enforcement agency. Prior to that role, he worked as a consultant providing security assessments to financial and technology firms in North America. Because he is obsessed with technology and holds a 3rd degree black belt, you can assume (correctly) that his entire life is based around The Matrix.

Since the early days of Commodore PET and VIC-20, technology has been a constant companion (and sometimes an obsession!) to Cliff Janzen. Cliff discovered his career passion when he moved to information security in 2008 after a decade of IT operations. For the past few years Cliff has been happily employed as a security consultant, doing everything from policy review to penetration tests, and he feels lucky to have a career that is also his favorite hobby.

Foreword

Python is still the dominant language in the world of information security, even if the conversation about your language of choice sometimes looks more like a religious war. Python-based tools include all manner of fuzzers, proxies, and even the occasional exploit. Exploit frameworks like CANVAS are written in Python as are more obscure tools like PyEmu or Sulley.

Just about every fuzzer or exploit I have written has been in Python. In fact, the automotive hacking research that Chris Valasek and I recently performed contained a library to inject CAN messages onto your automotive network using Python!

If you are interested in tinkering with information security tasks, Python is a great language to learn because of the large number of reverse engineering and exploitation libraries available for your use. Now if only the Metasploit developers would come to their senses and switch from Ruby to Python, our community would be united.

In this new book, Justin covers a large range of topics that an enterprising young hacker would need to get off the ground. He includes walkthroughs of how to read and write network packets, how to sniff the network, as well as anything you might need for web application auditing and attacking. He then spends significant time diving into how to write code to address specifics with attacking Windows systems. In general, Black Hat Python is a fun read, and while it might not turn you into a super stunt hacker like myself, it can certainly get you started down the path. Remember, the difference between script kiddies and professionals is the difference between merely using other people’s tools and writing your own.

Charlie Miller
St. Louis, Missouri
September 2014

Preface

Python hacker. Those are two words you really could use to describe me. At Immunity, I am lucky enough to work with people who actually, really, know how to code Python. I am not one of those people. I spend a great deal of my time penetration testing, and that requires rapid Python tool development, with a focus on execution and delivering results (not necessarily on prettiness, optimization, or even stability). Throughout this book you will learn that this is how I code, but I also feel as though it is part of what makes me a strong pentester. I hope that this philosophy and style helps you as well.

As you progress through the book, you will also realize that I don’t take deep dives on any single topic. This is by design. I want to give you the bare minimum, with a little flavor, so that you have some foundational knowledge. With that in mind, I’ve sprinkled ideas and homework assignments throughout the book to kickstart you in your own direction. I encourage you to explore these ideas, and I would love to hear back any of your own implementations, tooling, or homework assignments that you have done.

As with any technical book, readers at different skill levels with Python (or information security in general) will experience this book differently. Some of you may simply grab it and nab chapters that are pertinent to a consulting gig you are on, while others may read it cover to cover. I would recommend that if you are a novice to intermediate Python programmer that you start at the beginning of the book and read it straight through in order. You will pick up some good building blocks along the way.

To start, I lay down some networking fundamentals in Chapter and slowly work our way through raw sockets in Chapter and using Scapy in Chapter for some more interesting network tooling. The next section of the book deals with hacking web applications, starting with your own custom tooling in Chapter and then extending the popular Burp Suite in Chapter. From there we will spend a great deal of time talking about trojans, starting with GitHub command and control in Chapter 7, all the way through Chapter 10 where we will cover some Windows privilege escalation tricks. The final chapter is about using Volatility for automating some offensive memory forensics techniques.

I try to keep the code samples short and to the point, and the same goes for the explanations. If you are relatively new to Python I encourage you to punch out every line to get that coding muscle memory going. All of the source code examples from this book are available at http://nostarch.com/blackhatpython/.

Here we go!

Acknowledgments

I would like to thank my family — my beautiful wife, Clare, and my five children, Emily, Carter, Cohen, Brady, and Mason — for all of the encouragement and tolerance while I spent a year and a half of my life writing this book. My brothers, sister, Mom, Dad, and Paulette have also given me a lot of motivation to keep pushing through no matter what. I love you all.

To all my folks at Immunity (I would list each of you here if I had the room): thanks for tolerating me on a day-to-day basis. You are truly an amazing crew to work with. To the team at No Starch — Tyler, Bill, Serena, and Leigh — thanks so much for all of the hard work you put into this book and the rest in your collection. We all appreciate it.

I would also like to thank my technical reviewers, Dan Frisch and Cliff Janzen. These guys typed out and critiqued every single line of code, wrote supporting code, made edits, and provided absolutely amazing support throughout the whole process. Anyone who is writing an infosec book should really get these guys on board; they were amazing and then some.

For the rest of you ruffians that share drinks, laughs and GChats: thanks for letting me piss and moan to you about writing this book.

Chapter 1: Setting Up Your Python Environment

This is the least fun — but nevertheless critical — part of the book, where we walk through setting up an environment in which to write and test Python. We are going to do a crash course in setting up a Kali Linux virtual machine (VM) and installing a nice IDE so that you have everything you need to develop code. By the end of this chapter, you should be ready to tackle the exercises and code examples in the remainder of the book.

Before you get started, go ahead and download and install VMWare Player.[1] I also recommend that you have some Windows VMs at the ready as well, including Windows XP and Windows 7, preferably 32-bit in both cases.

Installing Kali Linux

Kali is the successor to the BackTrack Linux distribution, designed by Offensive Security from the ground up as a penetration testing operating system. It comes with a number of tools preinstalled and is based on Debian Linux, so you’ll also be able to install a wide variety of additional tools and libraries beyond what’s on the OS to start.

First, grab a Kali VM image from the following URL: http://images.offensive-security.com/kalilinux-1.0.9-vm-i486.7z.[2] Download and decompress the image, and then double-click it to make VMWare Player fire it up. The default username is root and the password is toor. This should get you into the full Kali desktop environment as shown in Figure 1-1.

Figure 1-1. The Kali Linux desktop

The first thing we are going to do is ensure that the correct version of Python is installed. This book will use Python 2.7 throughout. In the shell (Applications▸Accessories▸Terminal), execute the following:

    root@kali:~# python --version
    Python 2.7.3
    root@kali:~#

If you downloaded the exact image that I recommended above, Python 2.7 will be automatically installed. Please note that using a different version of Python might break some of the code examples in this book. You have been warned.
Black Hat Python: Python Programming for Hackers and Pentesters

Justin Seitz

Copyright © 2014

BLACK HAT PYTHON. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

18 17 16 15 14 123456789

ISBN-10: 1-59327-590-0
ISBN-13: 978-1-59327-590-7

Publisher: William Pollock
Production Editor: Serena Yang
Cover Illustration: Garry Booth
Interior Design: Octopod Studios
Developmental Editor: Tyler Ortman
Technical Reviewers: Dan Frisch and Cliff Janzen
Copyeditor: Gillian McGarvey
Compositor: Lynn L’Heureux
Proofreader: James Fraleigh
Indexer: BIM Indexing and Proofreading Services

For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:

No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 415.863.9900; info@nostarch.com
www.nostarch.com

Library of Congress Control Number: 2014953241

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

No Starch Press 2014-11-26T08:31:28-08:00

Date posted: 18/05/2017, 22:01


Table of contents

    Black Hat Python: Python Programming for Hackers and Pentesters

    About the Technical Reviewers

    1. Setting Up Your Python Environment

    Python Networking in a Paragraph

    Building a TCP Proxy

    3. The Network: Raw Sockets and Sniffing

    Building a UDP Host Discovery Tool

    Packet Sniffing on Windows and Linux

    Decoding the IP Layer

    4. Owning the Network with Scapy
